
Australian transportation and logistics company Toll Group stated today that systems across multiple sites and business units were encrypted by a ransomware called the Mailto ransomware.
This ransomware family is known as Mailto, but based on decryptor names, the ransomware's authors dubbed it NetWalker.
According to ID Ransomware stats, between 1 and 16 NetWalker ransom notes and/or sample encrypted files have been submitted per day for analysis during the last 30 days.
Toll Group, a subsidiary of Japan Post Holdings since 2015, is Asia Pacific's leading provider of logistics services, employing roughly 44,000 people at 1,200 locations in more than 50 countries.
The company reported revenue of $8.7 billion and earnings of $127 million before interest and tax per its full-year results for 2019.
Service disruption and systems shut down
Toll Group said that it had to shut down multiple systems in response to a ransomware attack on Sunday night, February 2, with several customer-facing applications being impacted as a result.
"Our immediate focus is on bringing our systems back online in a controlled and secure manner. Business continuity plans have been activated to maintain customer service and operations," Toll added in a follow-up statement issued the next day.
"We can confirm the cyber security incident is due to a targeted ransomware attack which led to our decision to immediately isolate and disable some systems in order to limit the spread of the attack," the logistics company added in an update published yesterday.
"At this stage, we have seen no evidence to suggest any personal data has been lost. We’re continuing to undertake a thorough investigation and we’re working around the clock to restore normal services at the earliest opportunity."
As a result of our decision to disable certain systems following a recent cyber security threat, we’re continuing to meet the needs of many of our customers through a combination of manual and automated processes across our global operations, although some are experiencing delay or disruption. For our parcels customers, all of our processing centres are continuing to operate including pick up, processing and dispatch albeit at reduced speed in some cases. While the online booking platform has been temporarily disabled, parcels customers can book deliveries by calling our contact centres. - Toll Group (February 4)
Another update published earlier today stated that the ransomware used to encrypt Toll Group's systems is a new variant of the Mailto ransomware.
"We have shared samples of the relevant variant with law enforcement, the Australian Cyber Security Centre, and cybersecurity organizations to ensure the wider community is protected.
There continues to be no indication that any personal data has been lost as a result of the ransomware attack on our IT systems. We continue to monitor this as we work through a detailed investigation."
Today's update also says that customers are now able to access the company's services "across large parts of the network globally including freight, parcels, warehousing and logistics, and forwarding operations."
Following the disabling of some of our IT systems, we’re continuing to meet the needs of many of our customers through a combination of manual and automated processes across our global operations, although some are experiencing delay or disruption. More : https://t.co/QOHRTkG5Nn
— Toll Group (@Toll_Group) February 4, 2020
Freight volumes are also returning to normal levels due to a combination of manual and automated processes designed to run the procedures previously powered by the impacted IT systems.
Toll has also increased staff numbers at contact centers to respond to all customer service requests. However, some customers are still experiencing disruption and delays while the company is working to bring IT systems back online.